boot-debug.img is introduced to allow 'adb root' if the device is
unlocked, and it cannot be release signed. If /boot partition is chained
in AVB signing and boot-debug.img is used, avb_slot_verify() in
userspace will return AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED
and fs_mgr will refuse to boot. This CL treats the public key rejection
as non-fatal for chained vbmeta to continue booting, if the device is
unlocked.
Bug: 129508966
Test: can root with user load which /boot chained in AVB signing
Change-Id: Idfa8caffbb96f33702b1749afd2e2a59616ddba7
Merged-In: Idfa8caffbb96f33702b1749afd2e2a59616ddba7
(cherry picked from commit 705fd7f52c)
umount_all is the cleanup step for mount_all.
In particular, the mount_all builtin creates a verity device,
'postinstall-verity', for the following line:
system /postinstall ... ... slotselect_other,logical,avb_keys=...
cppreopt umounts /postinstall but doesn't destroy the postinstall-verity
device, causing OTA to fail (because it cannot destroy the
system_[other] device). umount_all also destroy the verity device.
Note that mount_all does not map system_[other]; it is mapped by
first stage init. Hence, umount_all doesn't destroy it either. The OTA
client is reponsible for unmapping the device itself.
Bug: 129988285
Test: flash, boot, then check `dmctl list devices`, then OTA
Change-Id: Id3ab65b3860b6ea6cfec310ab13652009c81f415
On some devices (e.g., emulator), init needs to read AVB footer from
a logical partition because:
1) Dynamic/logical partition is enabled
2) The partition is AVB chained, i.e., need to locate footer from the end
3) Logical partition is not understandable by bootloader,
but there is no bootloader in this case
Bug: 125540538
Bug: 128434470
Test: boot and force the fallback path, to check it can get logical path
Change-Id: Ie304bce234cbf0f938f386f7ce59235c851e0e2d
Merged-In: Ie304bce234cbf0f938f386f7ce59235c851e0e2d
(cherry picked from commit 84d4933686)
The FstabEntry.avb_key is renamed to FstabEntry.avb_keys, to
allow specifying multiple avb keys, separated by ':'
(because ',' is already used by fstab parsing).
Bug: 124013032
Test: boot live GSI with multiple allowed AVB keys
Change-Id: Iacd3472a1d5a659dfecf09ea6074d622658f4d0b
This commit extracts the security patch level (SPL), e.g.,
com.android.build.system.security_patch = 2019-04-05 from AVB property
descriptors when attempting to mount a standalone image (e.g., live
GSI). Then compares the SPL between the old system.img and the new live
system.img for rollback protection.
Bug: 122705329
Test: boot an old Live GSI, checks rollback is detected
Change-Id: I7aae58c0b2062a3ff57ed932ad58e7b604453fed
The client can include <fs_avb/fs_avb_util.h> to use the two new
functions to load vbmeta for a FstabEntry and extract the hash tree
descriptor from the loaded vbmeta, respectively.
// Given a FstabEntry, loads and verifies the vbmeta.
std::unique_ptr<VBMetaData> LoadAndVerifyVbmeta(...);
// Gets the hashtree descriptor with avb_partition_name from the vbmeta.
std::unique_ptr<FsAvbHashtreeDescriptor> GetHashtreeDescriptor(...);
Bug: 65470881
Test: atest libfs_avb_test
Test: atest libfs_avb_internal_test
Test: atest libfs_avb_device_test
Change-Id: I7d6619eb8140c14734ffb8f8a1b22cddd2f562f0
This allows the client to get the public key data without need to
provide the expected key data to load vbmeta. Then do the comparison by
themselves, to allow "key rotation".
Bug: 65470881
Test: atest libfs_avb_test
Test: atest libfs_avb_internal_test
Test: boot a device
Change-Id: Icd4e317c2f79cd35e46cdd14f858575ee692facd
The following static function has been added into class AvbHandle to
support loading the AVB hashtree descriptor to enable dm-verity for
a FstabEntry.
static AvbHashtreeResult SetUpStandaloneAvbHashtree(FstabEntry* fstab_entry);
Bug: 112103720
Bug: 117960205
Test: atest libfs_avb_test
Test: atest libfs_avb_internal_test
Test: Add /system/etc/system_other.avbpubkey, then add
avb_key=/system/etc/system_other.avbpubkey into /system/etc/fstab.postinstall.
factory reset, boot a device and checks that system_other is
mounted with verity (see the serial log below)
Serial log:
-----------
init: [libfs_avb]Built verity table: '1 /dev/block/by-name/system_a
/dev/block/by-name/system_a 4096 4096 8521
8521 sha1 895ba03023a35172b393429fadad9ee228b39203
3405d16fec2cd12ad9e6b36d3bc983e1e83b5e09 10 use_fec_from_device
/dev/block/by-name/system_a fec_roots 2 fec_blocks 8589 fec_start 8589
restart_on_corruption ignore_zero_blocks'
init: [libfs_mgr]superblock s_max_mnt_count:65535,/dev/block/dm-7
init: [libfs_mgr]__mount(source=/dev/block/dm-7,target=/postinstall,type=ext4)=0:
Success
Change-Id: Ie339a43ff9c6a7d170e12ef466df666b98ddec19
This commits adds the following two public functions into
class AvbHandle, and verified by 'libfs_avb_test':
static AvbUniquePtr LoadAndVerifyVbmeta(); // loads inline vbmeta.
static AvbUniquePtr LoadAndVerifyVbmeta( // loads offline vbmeta.
const std::string& partition_name, const std::string& ab_suffix,
const std::string& ab_other_suffix, const std::string& expected_public_key,
const HashAlgorithm& hash_algorithm, bool allow_verification_error,
bool load_chained_vbmeta, bool rollback_protection,
std::function<std::string(const std::string&)> custom_device_path = nullptr);
The first function LoadAndVerifyVbmeta() will be used to replace Open(),
in a separate CL in the future. Many libfs_avb internal utils are added
into avb_util.cpp as well, which are verified by
'libfs_avb_internal_test'.
Bug: 112103720
Bug: 117960205
Test: atest libfs_avb_test
Test: atest libfs_avb_internal_test
Change-Id: I807b8af0b69c9a4511f6f120e9754aca5442830e
Damaged avb metadata can result in avb_slot_verify returning a
nullptr in avb_slot_data. Instead of an illegal access
violation in first_stage_init, we return the verify_result so
that it can be acted upon.
Test: confirm happenstance damaged vbmeta does not crash init.
Change-Id: I15be5bd32760bcc3418c5d8a943b016c0ddd56bc
This commit has the following changes:
1. Builds libfs_avb via "fs_mgr/libfs_avb/Android.bp" instead of
"fs_mgr/Android.bp", and removes the libfs_avb source
dependencies on "fs_mgr/fs_mgr_priv.h".
2. Moves static functions in fs_avb.cpp into util.cpp or
avb_util.cpp, depending on whether the function is related to
AVB or not.
3. Introduces two host unit tests: libfs_avb_test and
libfs_avb_internal_test, the former is to test public
<fs_avb/fs_avb.h> APIs, while the latter is to test libfs_avb
internal functions.
4. Splits fs_avb_unittest_util.* into:
- fs_avb_test_util.* (host static lib: libfs_avb_test_util),
- basic_test.cpp (host executable: libfs_avb_test)
Bug: 112103720
Bug: 117960205
Test: atest libfs_avb_test
Test: atest libfs_avb_internal_test
Test: boot a device
Change-Id: I11d6c9e9019e20b594d9321b9a28118d4806e5a7
Currently vbmeta images are stored in AvbSlotVerifyData defined in
libavb, which contains some fields that isn't needed by fs_mgr.
e.g., loaded_partition, rollback_indexes. Adding a new class VBMetaData
to replace it.
Bug: 112103720
Bug: 117960205
Test: boot crosshatch
Change-Id: I480461dad3c6aca7e028097662a3b06c3aa6646d
This commit adds the fundamental test framework for the upcoming
changes in libfs_avb. It replies on 'avbtool' to append AVB
metadata and then extracts the vbmeta content into an internal
|vbmeta_images_| variable for comparison later.
Bug: 117960205
Test: m libfs_avb_host_unittest
Test: ./out/host/linux-x86/nativetest/libfs_avb_host_unittest/libfs_avb_host_unittest
Test: atest --rebuild-module-info
Test: atest libfs_avb_host_unittest
Change-Id: I0cb8e8f04bc4b8628576565e7ff1920d7c81ecac
This CL also adds namespace android::fs_mgr and remove FsManager* prefix
for class names. Note that android::fs_mgr::FsManagerAvbOps will be removed
in later CLs when fs_mgr doesn't rely on libavb->avb_slot_verify() to
parse vbmeta structs.
Some lingering sources for by_name_symlink_map_ are also removed.
Bug: 112103720
Test: boot crosshatch_mainline-userdebug
Change-Id: I2d1a5cc39bcd5a699da8d5539f191d8c7737c4af
